TorMail hack, FBI surgical operation, or dragnet surveillance?

In 2013 the FBI seized TorMail; now new information is emerging on the operation. Some believe it was a surgical operation, others accuse the Feds of dragnet surveillance.

In 2013 the FBI seized TorMail, at the time the most popular dark web email service. The US law enforcement agency seized the TorMail database alongside its seizure of Freedom Hosting, the most popular Tor hidden service hosting company. In early 2014, Wired reported that the database was seized as part of a completely unrelated investigation aimed at identifying the cyber criminal organizations operating the principal black markets on the Tor network.

In July, at least two individuals from New York were charged with online child pornography crimes after visiting a hidden service on the Tor network.

According to the court documents, the FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.” Law enforcement identified nearly 1300 IP addresses belonging to its visitors.

Now a report published by the Washington Post confirms that in the summer of 2013 the Feds hacked the TorMail service, injecting NIT (Network Investigative Technique) code into the mail page in an attempt to track its users. Obviously the US Government would not confirm the circumstance, but it seems that only a limited number of accounts belonging to suspects were hacked. This version doesn’t convince many security experts and privacy advocates, who believe the FBI ran a dragnet surveillance operation against TorMail users.

The attack against Freedom Hosting took advantage of a Firefox zero-day to identify some users of the Tor anonymity network. The FBI had taken control of Freedom Hosting to investigate child pornography activities; US law enforcement considered Freedom Hosting the largest child porn facilitator on the planet.

“The FBI for its analysis exploited a zero-day in Firefox 17 that allowed it to track Tor users: it exploited a flaw in the Tor Browser to implant a tracking cookie which fingerprinted suspects through a specific external server.

The exploit was based on JavaScript with a tiny Windows executable hidden in a variable dubbed “Magneto”. The Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to an FBI server in Virginia, exposing the victim’s real IP address. The script sends back the data with a standard HTTP web request outside the Tor network.”
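As an added defensive illustration (not code from the original article or from any of the parties it describes): the leak Magneto relied on was a browser request that bypassed the local Tor SOCKS listener, so a host-level check that flags any Tor Browser egress not destined for 127.0.0.1:9150 catches that whole class of callback. The log format, process name and addresses below are constructed assumptions.

```python
"""Flag proxy-bypass egress from the Tor Browser process.

Constructed example: host-firewall log lines in a simple
'timestamp pid process dst_ip dst_port' format.  In Tor Browser all
network traffic is expected to reach the local tor SOCKS listener
(127.0.0.1:9150 by default); any other destination from the browser
process is the kind of leak an out-of-Tor HTTP callback produces.
"""
from __future__ import annotations

from dataclasses import dataclass

TOR_SOCKS = ("127.0.0.1", 9150)            # Tor Browser's default SOCKS listener
BROWSER_PROCESSES = {"firefox.exe", "firefox"}  # assumed browser process names


@dataclass(frozen=True)
class Flow:
    ts: str
    pid: int
    process: str
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Flow:
    """Parse one constructed log line into a Flow record."""
    ts, pid, process, dst_ip, dst_port = line.split()
    return Flow(ts, int(pid), process, dst_ip, int(dst_port))


def is_tor_leak(flow: Flow) -> bool:
    """True when the browser process talks to anything but the local tor SOCKS port."""
    if flow.process not in BROWSER_PROCESSES:
        return False            # other processes are out of scope for this check
    return (flow.dst_ip, flow.dst_port) != TOR_SOCKS


def find_leaks(log: str) -> list[Flow]:
    """Return every browser flow that bypassed the Tor SOCKS listener."""
    return [f for f in map(parse_line, log.strip().splitlines()) if is_tor_leak(f)]


# Constructed sample: two normal SOCKS flows, one direct HTTP egress, one unrelated process.
SAMPLE_LOG = """\
2013-08-04T10:00:01Z 4242 firefox.exe 127.0.0.1 9150
2013-08-04T10:00:02Z 4242 firefox.exe 127.0.0.1 9150
2013-08-04T10:00:03Z 4242 firefox.exe 203.0.113.10 80
2013-08-04T10:00:04Z 1337 svchost.exe 198.51.100.5 443
"""

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"LEAK pid={leak.pid} {leak.process} -> {leak.dst_ip}:{leak.dst_port} at {leak.ts}")
```

The same rule expressed as a firewall policy (drop everything from the browser process except 127.0.0.1:9150) would have blocked the callback rather than merely logging it.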

TorMail was one of the web services hosted by Freedom Hosting, so it was subject to the FBI investigation too.

“This week, people familiar with the investigation confirmed that the FBI had used an NIT on TorMail. But, they said, the bureau obtained a warrant that listed specific email accounts within TorMail for which there was probable cause to think that the true user was engaged in illicit child-pornography activities. In that way, the sources said, only suspects whose accounts had in some way been linked to involvement in child porn would have their computers infected.” states the Washington Post report.

“An FBI official who spoke under a similar condition of anonymity said the bureau recognizes that the use of an NIT is “intrusive” and should only be deployed “in the most serious cases.” He said the FBI uses the tool only against offenders who are “the worst of the worst.””

I can report my experience with the TorMail service, which I used for research purposes: when I was trying to access the TorMail service it was returning an error page. According to the analysis conducted by the experts, that error page contained the malicious exploit code used to track users.

“There were certainly large numbers of TorMail users who were not engaging in any criminal activity,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told Motherboard. “If the government in fact delivered a NIT to every single person who logged into TorMail, then the government went too far,” he continued.

“Using a privacy preserving communication service is not an invitation, or a justification, for the government to hack your computer.”

I sincerely don’t understand how it is possible to discriminate between users who were not logged in; I remember that the error page was displayed before inserting the login credentials, so there was no possibility of distinguishing my account from others.


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.